Vulnerability In Xiaomi Electric Scooters Allows Attackers to Take Control of the Machine

Electric scooters have proved to be a convenient form of travel over short distances for some. Security researchers have now highlighted another problem: Xiaomi electric scooters bear serious vulnerabilities. Exploiting the flaws could allow an attacker to remotely hack the scooters and execute commands, such as sudden braking.

Security Flaw Discovered In Xiaomi Electric Scooters

Researcher Rani Idan of Zimperium has discovered a serious vulnerability in Xiaomi electric scooters. According to his findings, the vulnerability could allow an attacker to take control of the machine. A successful remote attack could then result in sudden braking or acceleration.

Reportedly, he discovered problems with the user authentication process of the scooters. Describing the details of his findings in a blog post, Idan stated,

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password.”

Specifically, the scooters do not track authentication state, because password validation takes place on the app side only. As a result, an attacker can exploit the bug by sending a malicious payload to execute the desired commands. The attacker may be anywhere within 100 meters of the target device.
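The root cause described above is an authentication check that exists only in the app, so the device has nothing to enforce. As an added example (not code from the article, Zimperium, or Xiaomi; the opcodes, structs, and password are hypothetical and constructed), the C code below sets a handler that trusts the app beside one that verifies the password on the device and gates every command on per-connection state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical opcodes and results; the scooter's real protocol is not described on this page. */
enum { CMD_AUTH = 1, CMD_LOCK = 2, CMD_UNLOCK = 3 };
enum { RES_OK = 0, RES_DENIED = 1, RES_BAD = 2 };
#define MAX_FAILS 3

typedef struct {          /* one per wireless connection, reset on disconnect */
    bool authenticated;
    unsigned fails;
} session_t;

typedef struct {
    bool locked;
    char password[16];    /* constructed sample secret, held on the device */
} device_t;

/* Compare without an early exit so timing does not reveal a matching prefix. */
static bool ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static int run_cmd(device_t *d, int cmd) {
    if (cmd == CMD_LOCK)   { d->locked = true;  return RES_OK; }
    if (cmd == CMD_UNLOCK) { d->locked = false; return RES_OK; }
    return RES_BAD;
}

/* Flawed pattern: the device assumes the app already checked the password. */
int handle_weak(device_t *d, int cmd) { return run_cmd(d, cmd); }

/* Hardened pattern: the device checks the password and remembers the result per session. */
int handle_hardened(device_t *d, session_t *s, int cmd, const char *arg, size_t len) {
    if (cmd == CMD_AUTH) {
        if (s->fails >= MAX_FAILS) return RES_DENIED;   /* throttle guessing */
        size_t want = strlen(d->password);
        if (arg && len == want && ct_equal(arg, d->password, want)) {
            s->authenticated = true; s->fails = 0;
            return RES_OK;
        }
        s->fails++;
        return RES_DENIED;
    }
    if (!s->authenticated) return RES_DENIED;  /* every other command is gated */
    return run_cmd(d, cmd);
}
```

In real firmware the session state would also have to be cleared on disconnect, and the password exchange protected by the link's pairing or an application-layer key exchange rather than sent in the clear.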

Idan has demonstrated the exploit in a video. It shows the successful locking of Xiaomi M365 scooters by sending a crafted payload.

A Temporary Mitigation Might Help

The researcher confirmed that he has disclosed the flaw responsibly. However, Xiaomi hasn’t patched the bug yet despite knowing about the vulnerability since January 28, 2019. Even in their acknowledgment to the researcher, they confirmed their knowledge of the flaw.

Nonetheless, the researcher suggests users connect the Xiaomi app to their mobiles before riding, as a temporary mitigation.

“Once your mobile is connected and kept connected to the scooter an attacker won’t be able to remotely flash malicious firmware or lock your scooter.”